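# debian-installer preseed for host "knel-football".
# One directive per line: <owner> <question> <type> <value>.
# A comment must sit on its own line starting with '#'.

# Localization - suppress all locale questions
d-i debian-installer/locale string en_US.UTF-8
d-i debian-installer/supported_locales multiselect en_US.UTF-8
d-i console-setup/ask_detect boolean false
d-i console-setup/layoutcode string us
d-i console-setup/variantcode string

# Keyboard
d-i keyboard-configuration/xkb-keymap select us
d-i keyboard-configuration/toggle select No toggling

# Set debconf priority to high (allows user password prompts)
# Using 'critical' suppresses the non-root user password prompt
d-i debconf/priority select high

# Network configuration
d-i netcfg/choose_interface select auto
d-i netcfg/disable_autoconfig boolean false
d-i netcfg/get_hostname string knel-football
d-i netcfg/get_domain string knel.net
d-i netcfg/hostname string knel-football

# Mirror configuration
d-i mirror/country string manual
d-i mirror/http/hostname string deb.debian.org
d-i mirror/http/directory string /debian
d-i mirror/http/proxy string

# Clock and time zone setup
# tzdata has no "US/Chicago" entry (the US/ aliases are regional, such as
# US/Central); America/Chicago is the zone name for Chicago.
d-i time/zone string America/Chicago
d-i clock-setup/utc boolean true
d-i clock-setup/ntp boolean true

# User setup
# SECURITY: Passwords are prompted during installation, not hardcoded
# This ensures each installation has unique credentials
d-i passwd/user-fullname string football user
d-i passwd/username string football
# The password questions are deliberately left un-preseeded so the installer
# asks for them. Do NOT preseed passwd/user-password-crypted or
# passwd/root-password-crypted with "!": the installer documents "!" as
# "disable this account", and a preseeded question is marked as answered, so
# no prompt appears and both accounts end up without a usable password.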
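# Root account stays enabled; the installer asks for its password.
d-i passwd/root-login boolean true

# Create the unprivileged user account defined in the user setup section.
# (passwd/make-user only controls account creation; it enforces no password
# quality rule.)
d-i passwd/make-user boolean true
# NOTE(review): "input" gives the user read access to raw input devices and
# "plugdev" allows handling removable media. Confirm each group is needed for
# this workstation's role, and drop those that are not.
d-i passwd/user-default-groups string audio,video,plugdev,input,cdrom,floppy

# Password quality enforcement (MANDATORY for tier0 security)
# PAM password quality configuration (enforced in installed system)
# This will be configured in post-installation hooks
# NOTE(review): no late_command or hook is visible in this part of the file.
# libpam-pwquality is only installed into the target, so the passwords typed at
# the installer prompts are presumably not checked against that policy. Verify,
# and plan a forced password change or an operator checklist if so.

# Partitioning (LUKS full disk encryption - MANDATORY)
# For UEFI systems, we need: EFI System Partition, /boot, encrypted LUKS+LVM
# CAUTION: the target disk is hard-coded and the confirmation questions are
# preseeded further down, so whatever enumerates as /dev/sda is wiped without
# asking. Check device ordering (USB installer media, NVMe-only machines)
# before using this file on new hardware.
d-i partman-auto/disk string /dev/sda
d-i partman-auto/method string crypto
d-i partman-auto-lvm/device_remove_lvs boolean true
d-i partman-auto-lvm/device_remove_lvs_span boolean true
d-i partman-auto-lvm/guided_size string max
d-i partman-auto-lvm/new_vg_name string knel_vg

# Expert recipe for UEFI + encrypted LVM
# Structure: ESP (EFI) -> /boot -> LUKS encrypted container -> LVM VG -> root + swap
# The ESP and /boot are outside the LUKS container and therefore unencrypted;
# only the $lvmok{ } volumes (root, swap) live inside it.
# The recipe is one logical line: every physical line except the last must end
# with a backslash, and no comment may appear inside it.
d-i partman-auto/expert_recipe string \
    efi-boot-root :: \
        256 512 512 fat32 \
            $primary{ } \
            method{ efi } format{ } \
            use_filesystem{ } filesystem{ fat32 } \
        . \
        512 1024 512 ext4 \
            $primary{ } $bootable{ } \
            method{ format } format{ } \
            use_filesystem{ } filesystem{ ext4 } \
            mountpoint{ /boot } \
        . \
        10000 20000 -1 ext4 \
            $lvmok{ } \
            in_vg{ knel_vg } \
            lv_name{ root } \
            method{ format } format{ } \
            use_filesystem{ } filesystem{ ext4 } \
            mountpoint{ / } \
        . \
        1024 200% 8192 linux-swap \
            $lvmok{ } \
            in_vg{ knel_vg } \
            lv_name{ swap } \
            method{ swap } format{ } \
        .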
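# LUKS encryption configuration (AES-XTS; the 512-bit XTS key is split into two
# 256-bit halves, i.e. AES-256)
# NOTE: Passphrase will be prompted during installation
# REQUIREMENTS: 14+ characters, mix of upper/lower/digits/special
# (operator policy: no directive in this file makes the installer enforce it)
# This passphrase unlocks the encrypted disk at boot time
# NOTE(review): confirm that these partman-crypto/* keys exist in the target
# release's installer templates. A key the installer never reads has no
# effect and fails silently. The disk-erase question I know of is
# partman-auto-crypto/erase_disks.
d-i partman-crypto/erase_disks boolean true
d-i partman-crypto/erase_disks_secure boolean true

# LUKS cipher selection
# NOTE(review): these two lines lack the <type> field required by the preseed
# format, so the intended value is read as the type and the value is empty.
# They are left unchanged because the correct type is not shown here. After a
# test install, verify the real cipher, key size and LUKS version with
# `cryptsetup luksDump` rather than trusting this file.
d-i partman-crypto/cipher aes-xts-plain64
d-i partman-crypto/keysize 512
d-i partman-crypto/lvm boolean true

# LUKS2 format (modern, more secure)
d-i partman-crypto/use-luks2 boolean true

# Confirm partitioning
# These answers remove every interactive safeguard before the target disk is
# overwritten.
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

# Package selection
tasksel tasksel/first multiselect standard
d-i pkgsel/include string \
    icewm \
    lightdm \
    remmina \
    wireguard \
    wireguard-tools \
    mousepad \
    zbar-tools \
    nftables \
    openssh-client \
    cryptsetup \
    cryptsetup-initramfs \
    busybox \
    dmsetup \
    libpam-pwquality

# Boot loader configuration
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean false
d-i grub-installer/bootdev string default
d-i grub-installer/force-efi-extra-removable boolean true

# Popularity contest - do not participate
popularity-contest popularity-contest/participate boolean false

# Security configuration
# NOTE(review): "security/updates" does not match an installer question I can
# identify, so confirm it is honoured. If the intent is to control automatic
# updates, the relevant question is pkgsel/update-policy.
d-i security/updates select none
d-i passwd/shadow boolean true

# Finish
d-i finish-install/reboot_in_progress note
d-i cdrom-detect/eject boolean false

# Skip additional prompts
d-i apt-setup/contrib boolean false
d-i apt-setup/non-free boolean false
d-i apt-setup/backports boolean false
# NOTE(review): an empty multiselect deselects the "security" and "updates"
# services, so the installed system's APT sources contain no security archive
# unless a later step adds one. Confirm this is intended for a tier0 host;
# "security, updates" also suppresses the prompt.
d-i apt-setup/services-select multiselect

# Don't ask about kernel flavors
d-i base-installer/kernel/image select linux-image-amd64

# Don't ask about hostname confirmation
d-i netcfg/confirm_static boolean true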